
‘Hacked’ Go Daddy Sites Serve Up Ransomware

Domain Name System (DNS) records of Go Daddy-hosted websites have been compromised, potentially placing many visitors at risk of infection with malware known as ransomware.

By hacking DNS records, cyber crooks have been able to add one or more subdomains with corresponding DNS entries, so some visitors who access affected webpages are sent to malicious websites. Where hackers tricked people into visiting those subdomains, malware may have been downloaded onto victims’ machines. Because the malicious hostnames sit under a legitimate, trusted domain, such attacks are good at getting around security protections.

“The legitimate hostname resolves to the legitimate IP address, but the added sub-domains resolve to rogue servers,” a blog post from security firm Sophos read. “This enables the attackers to use legitimate-looking URLs in their attacks, which can help to evade security filtering and trick users into thinking the content must be safe.”

Normally, victims can tell they are on the wrong site because the URL or IP address does not match the legitimate one, but this attack has apparently got round that: the rogue subdomain carries the legitimate domain name.
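The mechanism described above (apex and known hostnames still resolve correctly while added subdomains point at rogue servers) means that spot-checking only the main hostname will not reveal the tampering; every record in the zone has to be compared against what the owner actually created. The following is an added example, not code from the article, Sophos or Go Daddy: it parses a constructed zone export for a hypothetical domain (`example-shop.test`) and flags hostnames that are not in the owner's baseline or that resolve outside the owner's assigned address range. The baseline, the networks and the sample records are all assumptions constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample zone export for the hypothetical domain example-shop.test.
# The apex, "www" and "mail" point at the owner's own servers; two short
# random-looking labels have been added and resolve to an address that is
# not part of the owner's hosting range (mirrors the pattern in the article).
SAMPLE_ZONE = """\
$ORIGIN example-shop.test.
@            3600  IN  A      203.0.113.10
www          3600  IN  A      203.0.113.10
mail         3600  IN  A      203.0.113.20
28j          600   IN  A      198.51.100.77
7ot          600   IN  A      198.51.100.77
"""

# Baseline the site owner maintains (constructed): hostnames they created and
# the address space their hosting provider assigned to them.
KNOWN_HOSTS = {"@", "www", "mail"}
OWNER_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Matches a simple "<label> <ttl> IN A <ipv4>" zone line.
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\S+)\s*$")


@dataclass(frozen=True)
class Finding:
    host: str
    ip: str
    reason: str


def parse_a_records(zone_text):
    """Return (host, ttl, ip) tuples for the A records in a zone export."""
    records = []
    for line in zone_text.splitlines():
        line = line.strip()
        # Skip blanks, directives such as $ORIGIN, and comments.
        if not line or line.startswith(("$", ";")):
            continue
        m = RECORD_RE.match(line)
        if m:
            records.append((m.group(1), int(m.group(2)), m.group(3)))
    return records


def audit_zone(zone_text, known_hosts, owner_networks):
    """Flag A records whose host is not in the baseline or whose address
    lies outside the owner's networks. Both conditions are reported
    separately so a legitimate host that has been repointed is also caught."""
    findings = []
    for host, _ttl, ip in parse_a_records(zone_text):
        addr = ipaddress.ip_address(ip)
        in_owner_range = any(addr in net for net in owner_networks)
        if host not in known_hosts and not in_owner_range:
            findings.append(Finding(host, ip, "unknown host resolving outside owner networks"))
        elif host not in known_hosts:
            findings.append(Finding(host, ip, "unknown host"))
        elif not in_owner_range:
            findings.append(Finding(host, ip, "known host moved outside owner networks"))
    return findings


if __name__ == "__main__":
    for f in audit_zone(SAMPLE_ZONE, KNOWN_HOSTS, OWNER_NETWORKS):
        print(f"{f.host}: {f.ip} ({f.reason})")
```

Run against a zone export from the registrar's control panel, the check would be scheduled and diffed against the previous run; the short-lived TTL on the added records in the sample is incidental, the decisive signal is a label the owner never created.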

Cool ransomware

From there, code runs on the rogue server: an exploit kit called ‘Cool’ is deployed and ransomware is installed.

The ransomware served depends on the country of origin. In the UK, it is malware posing as a legitimate message from the Met’s Police e-Crime Unit (PCeU). It locks the computer, on the grounds that the computer was guilty of “unauthorised cyberactivity”, asking for payment to unlock it.

It remains unclear how the Go Daddy DNS records were hacked. The company had not responded to a request for comment at the time of publication.

Sophos suggested a likely cause was compromised user credentials, but was unable to check this as Go Daddy does not allow users to check historical login activity. “Enabling users to view historical login activity is a very simple way of helping to spot malicious activity early. Let’s hope Go Daddy change their stance on this,” the security firm added.

“Given the prevalence of attacks against web sites for the purpose of malware distribution it is high time that associated services (Registrars, hosting providers etc) pay adequate consideration to security.

“Users should not be allowed to use weak passwords. Two-factor authentication should be readily available, if not enforced.” Sophos has also contacted Go Daddy about the attacks.

In September, it was rumoured Go Daddy had been hacked, but the company said downtime was due to “a series of internal network events that corrupted router data tables”.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.


  • You may be interested that right now, I'm on the phone with GoDaddy regarding this very same issue.

    My site http://www.foundersgyan.com has been injected with several subdomain entries

    28j.foundersgyan.com/
    7ot.foundersgyan.com/
    etc.

    All of these are being redirected to http://185.38.184.156 which is being blocked by my Anti-virus.

    I'm pretty sure GoDaddy is not going to comment on this and just will solve the issue again without further action
